{ "type": "Domain", "indicator": "rawfuns.com", "general": { "sections": [ "general", "geo", "url_list", "passive_dns", "malware", "whois", "http_scans" ], "whois": "http://whois.domaintools.com/rawfuns.com", "alexa": "http://www.alexa.com/siteinfo/rawfuns.com", "indicator": "rawfuns.com", "type": "domain", "type_title": "Domain", "validation": [], "base_indicator": { "id": 2893765819, "indicator": "rawfuns.com", "type": "domain", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 5, "pulses": [ { "id": "60638f7aff63f9956797e899", "name": "Suspected Chinese Group Calypso APT Exploiting Vulnerable Microsoft Exchange Servers", "description": "Beginning on March 1, 2021, Recorded Future\u2019s Insikt Group identified a large increase in victim communications to PlugX command and control (C2) infrastructure publicly attributed to the suspected Chinese state-sponsored group Calypso APT. We believe that this activity is highly likely linked to the exploitation of recently disclosed Microsoft Exchange vulnerabilities (also known as ProxyLogon \u2014 CVE-2021-26855, CVE-2021-27065). Our observations align with recent reporting by ESET in which the group was identified targeting vulnerable Exchange servers to deploy a web shell and ultimately load the PlugX malware post-exploitation.", "modified": "2021-04-29T00:03:01.245000", "created": "2021-03-30T20:52:09.917000", "tags": [ "Calypso APT", "PlugX", "Microsoft Exchange", "CVE-2021-26857", "CVE-2021-26855", "CVE-2021-26858", "CVE-2021-27065" ], "references": [ "https://www.recordedfuture.com/chinese-group-calypso-exploiting-microsoft-exchange/", "Calypso-IOCs.txt" ], "public": 1, "adversary": "Calypso APT", "targeted_countries": [ "United States of America", "Ukraine", "Switzerland", "Nepal", "North Macedonia", "Kazakhstan", "Italy", "India", "Germany", "Czechia", "Australia" ], "malware_families": [ { "id": "PlugX - S0013", "display_name": "PlugX - S0013", "target": null } ], "attack_ids": [ { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" } ], "industries": [ "Manufacturing", "Legal", "Finance", "Government", "Defense", "Technology" ], "TLP": "white", "cloned_from": null, "export_count": 329, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "CVE": 4, "FileHash-MD5": 4, "FileHash-SHA256": 4, "FileHash-SHA1": 3, "domain": 9, "hostname": 10 }, "indicator_count": 34, "is_author": false, "is_subscribing": null, "subscriber_count": 386596, "modified_text": "1858 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "603eb1abdd4812819c64e197", "name": "HAFNIUM targeting Exchange Servers with 0-day exploits", "description": "\"Microsoft has detected multiple 0-day exploits being used to attack on-premises versions of Microsoft Exchange Server in limited and targeted attacks. In the attacks observed, the threat actor used these vulnerabilities to access on-premises Exchange servers which enabled access to email accounts, and allowed installation of additional malware to facilitate long-term access to victim environments. Microsoft Threat Intelligence Center (MSTIC) attributes this campaign with high confidence to HAFNIUM, a group assessed to be state-sponsored and operating out of China, based on observed victimology, tactics and procedures.\"", "modified": "2021-04-10T00:05:45.332000", "created": "2021-03-02T21:44:11.611000", "tags": [ "webshell", "hafnium", "microsoft", "exchange", "server", "powercat", "covenant", "procdump", "lsass", "service", "powershell", "cn_apt", "China", "email", "Exploit", "UNC2643", "UNC2640", "UNC2639", "CVE-2021-26858", "CVE-2021-26857", "CVE-2021-27065", "CVE-2021-26855", "LuckyMouse", "Calypso", "Winnti", "Tick" ], "references": [ "https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/", "https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities/", "https://us-cert.cisa.gov/ncas/alerts/aa21-062a", "https://unit42.paloaltonetworks.com/microsoft-exchange-server-vulnerabilities/", "https://www.fireeye.com/blog/threat-research/2021/03/detection-response-to-exploitation-of-microsoft-exchange-zero-day-vulnerabilities.html", "https://github.com/cert-lv/exchange_webshell_detection", "https://github.com/nsacyber/Mitigating-Web-Shells", "https://blog.truesec.com/2021/03/07/exchange-zero-day-proxylogon-and-hafnium/", "https://twitter.com/SBousseaden/status/1368241345454870528", "https://twitter.com/JohnLaTwC/status/1368952992221700096", "https://github.com/microsoft/CSS-Exchange/tree/main/Security", "https://media.defense.gov/2020/Jun/09/2002313081/-1/-1/0/CSI-DETECT-AND-PREVENT-WEB-SHELL-MALWARE-20200422.PDF", "https://unit42.paloaltonetworks.com/china-chopper-webshell/", "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/microsoft-exchange-server-protection", "https://www.welivesecurity.com/2021/03/10/exchange-servers-under-siege-10-apt-groups/", "https://us-cert.cisa.gov/ncas/current-activity/2021/03/13/updates-microsoft-exchange-server-vulnerabilities", "https://us-cert.cisa.gov/ncas/analysis-reports/ar21-084b", "https://us-cert.cisa.gov/ncas/analysis-reports/ar21-072g", "https://us-cert.cisa.gov/ncas/analysis-reports/ar21-084a", "https://us-cert.cisa.gov/ncas/analysis-reports/ar21-072f", "https://us-cert.cisa.gov/ncas/analysis-reports/ar21-072e", "https://us-cert.cisa.gov/ncas/analysis-reports/ar21-072d", "https://us-cert.cisa.gov/ncas/analysis-reports/ar21-072c", "https://us-cert.cisa.gov/ncas/analysis-reports/ar21-072b", "https://us-cert.cisa.gov/ncas/analysis-reports/ar21-072a" ], "public": 1, "adversary": "HAFNIUM", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Trojan.Agent.Hafnium", "display_name": "Trojan.Agent.Hafnium", "target": null }, { "id": "Cobalt Strike - S0154", "display_name": "Cobalt Strike - S0154", "target": null }, { "id": "China Chopper - S0020", "display_name": "China Chopper - S0020", "target": null }, { "id": "DLTMiner", "display_name": "DLTMiner", "target": null }, { "id": "ShadowPad", "display_name": "ShadowPad", "target": null }, { "id": "Mikroceen RAT", "display_name": "Mikroceen RAT", "target": null }, { "id": "Mimikatz - S0002", "display_name": "Mimikatz - S0002", "target": null }, { "id": "Backdoor:Win32/Korplug", "display_name": "Backdoor:Win32/Korplug", "target": "/malware/Backdoor:Win32/Korplug" }, { "id": "Winnti - S0141", "display_name": "Winnti - S0141", "target": null }, { "id": "PlugX - S0013", "display_name": "PlugX - S0013", "target": null } ], "attack_ids": [ { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1505", "name": "Server Software Component", "display_name": "T1505 - Server Software Component" }, { "id": "T1190", "name": "Exploit Public-Facing Application", "display_name": "T1190 - Exploit Public-Facing Application" }, { "id": "T1587.004", "name": "Exploits", "display_name": "T1587.004 - Exploits" }, { "id": "T1595", "name": "Active Scanning", "display_name": "T1595 - Active Scanning" }, { "id": "T1203", "name": "Exploitation for Client Execution", "display_name": "T1203 - Exploitation for Client Execution" }, { "id": "T1505.003", "name": "Web Shell", "display_name": "T1505.003 - Web Shell" } ], "industries": [ "Defense", "Higher Education", "Research", "Law", "NGO", "Government" ], "TLP": "white", "cloned_from": null, "export_count": 462, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 80, "CVE": 4, "YARA": 10, "FileHash-MD5": 36, "FileHash-SHA1": 49, "hostname": 9, "URL": 2, "domain": 2 }, "indicator_count": 192, "is_author": false, "is_subscribing": null, "subscriber_count": 386615, "modified_text": "1877 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "62cbdddd1fc2e2956bfacda5", "name": "vvvvv", "description": "The internet is full of people, but not everyone wants to see it, so here's a look at some of the more eye-catching snippets from the past few days:..com.", "modified": "2022-08-10T00:00:07.214000", "created": "2022-07-11T08:22:53.511000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 6, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "leiwen15", "id": "157128", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_157128/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 3662, "URL": 250, "domain": 1592, "FileHash-MD5": 4, "email": 2 }, "indicator_count": 5510, "is_author": false, "is_subscribing": null, "subscriber_count": 41, "modified_text": "1390 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "62cbdde0447b9617f24a8901", "name": "vvvvv", "description": "The internet is full of people, but not everyone wants to see it, so here's a look at some of the more eye-catching snippets from the past few days:..com.", "modified": "2022-08-10T00:00:07.214000", "created": "2022-07-11T08:22:56.693000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 6, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "leiwen15", "id": "157128", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_157128/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 3662, "URL": 250, "domain": 1592, "FileHash-MD5": 4, "email": 2 }, "indicator_count": 5510, "is_author": false, "is_subscribing": null, "subscriber_count": 41, "modified_text": "1390 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "62cbddf0c4709eb7b4d0fb94", "name": "data of hhh", "description": "The internet is full of people, but not everyone wants to see it, so here's a look at some of the more eye-catching snippets from the past few days:..com.", "modified": "2022-08-10T00:00:07.214000", "created": "2022-07-11T08:23:12.624000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "leiwen15", "id": "157128", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_157128/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 3662, "URL": 250, "domain": 1592, "FileHash-MD5": 4, "email": 2 }, "indicator_count": 5510, "is_author": false, "is_subscribing": null, "subscriber_count": 44, "modified_text": "1390 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "references": [ "Calypso-IOCs.txt", "https://www.fireeye.com/blog/threat-research/2021/03/detection-response-to-exploitation-of-microsoft-exchange-zero-day-vulnerabilities.html", "https://us-cert.cisa.gov/ncas/analysis-reports/ar21-084a", "https://www.recordedfuture.com/chinese-group-calypso-exploiting-microsoft-exchange/", "https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/", "https://us-cert.cisa.gov/ncas/analysis-reports/ar21-072f", "https://github.com/nsacyber/Mitigating-Web-Shells", "https://www.welivesecurity.com/2021/03/10/exchange-servers-under-siege-10-apt-groups/", "https://github.com/microsoft/CSS-Exchange/tree/main/Security", "https://blog.truesec.com/2021/03/07/exchange-zero-day-proxylogon-and-hafnium/", "https://media.defense.gov/2020/Jun/09/2002313081/-1/-1/0/CSI-DETECT-AND-PREVENT-WEB-SHELL-MALWARE-20200422.PDF", "https://twitter.com/JohnLaTwC/status/1368952992221700096", "https://us-cert.cisa.gov/ncas/analysis-reports/ar21-072d", "https://us-cert.cisa.gov/ncas/current-activity/2021/03/13/updates-microsoft-exchange-server-vulnerabilities", "https://unit42.paloaltonetworks.com/microsoft-exchange-server-vulnerabilities/", "https://us-cert.cisa.gov/ncas/analysis-reports/ar21-072b", "https://us-cert.cisa.gov/ncas/analysis-reports/ar21-072e", "https://us-cert.cisa.gov/ncas/analysis-reports/ar21-084b", "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/microsoft-exchange-server-protection", "https://us-cert.cisa.gov/ncas/analysis-reports/ar21-072g", "https://github.com/cert-lv/exchange_webshell_detection", "https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities/", "https://us-cert.cisa.gov/ncas/alerts/aa21-062a", "https://us-cert.cisa.gov/ncas/analysis-reports/ar21-072c", "https://unit42.paloaltonetworks.com/china-chopper-webshell/", "https://us-cert.cisa.gov/ncas/analysis-reports/ar21-072a", "https://twitter.com/SBousseaden/status/1368241345454870528" ], "related": { "alienvault": { "adversary": [ "HAFNIUM", "Calypso APT" ], "malware_families": [ "Mimikatz - s0002", "Winnti - s0141", "China chopper - s0020", "Shadowpad", "Dltminer", "Backdoor:win32/korplug", "Cobalt strike - s0154", "Trojan.agent.hafnium", "Mikroceen rat", "Plugx - s0013" ], "industries": [ "Legal", "Government", "Manufacturing", "Law", "Finance", "Higher education", "Technology", "Ngo", "Defense", "Research" ] }, "other": { "adversary": [], "malware_families": [], "industries": [] } } }, "false_positive": [] }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 5, "pulses": [ { "id": "60638f7aff63f9956797e899", "name": "Suspected Chinese Group Calypso APT Exploiting Vulnerable Microsoft Exchange Servers", "description": "Beginning on March 1, 2021, Recorded Future\u2019s Insikt Group identified a large increase in victim communications to PlugX command and control (C2) infrastructure publicly attributed to the suspected Chinese state-sponsored group Calypso APT. We believe that this activity is highly likely linked to the exploitation of recently disclosed Microsoft Exchange vulnerabilities (also known as ProxyLogon \u2014 CVE-2021-26855, CVE-2021-27065). Our observations align with recent reporting by ESET in which the group was identified targeting vulnerable Exchange servers to deploy a web shell and ultimately load the PlugX malware post-exploitation.", "modified": "2021-04-29T00:03:01.245000", "created": "2021-03-30T20:52:09.917000", "tags": [ "Calypso APT", "PlugX", "Microsoft Exchange", "CVE-2021-26857", "CVE-2021-26855", "CVE-2021-26858", "CVE-2021-27065" ], "references": [ "https://www.recordedfuture.com/chinese-group-calypso-exploiting-microsoft-exchange/", "Calypso-IOCs.txt" ], "public": 1, "adversary": "Calypso APT", "targeted_countries": [ "United States of America", "Ukraine", "Switzerland", "Nepal", "North Macedonia", "Kazakhstan", "Italy", "India", "Germany", "Czechia", "Australia" ], "malware_families": [ { "id": "PlugX - S0013", "display_name": "PlugX - S0013", "target": null } ], "attack_ids": [ { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" } ], "industries": [ "Manufacturing", "Legal", "Finance", "Government", "Defense", "Technology" ], "TLP": "white", "cloned_from": null, "export_count": 329, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "CVE": 4, "FileHash-MD5": 4, "FileHash-SHA256": 4, "FileHash-SHA1": 3, "domain": 9, "hostname": 10 }, "indicator_count": 34, "is_author": false, "is_subscribing": null, "subscriber_count": 386596, "modified_text": "1858 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "603eb1abdd4812819c64e197", "name": "HAFNIUM targeting Exchange Servers with 0-day exploits", "description": "\"Microsoft has detected multiple 0-day exploits being used to attack on-premises versions of Microsoft Exchange Server in limited and targeted attacks. In the attacks observed, the threat actor used these vulnerabilities to access on-premises Exchange servers which enabled access to email accounts, and allowed installation of additional malware to facilitate long-term access to victim environments. Microsoft Threat Intelligence Center (MSTIC) attributes this campaign with high confidence to HAFNIUM, a group assessed to be state-sponsored and operating out of China, based on observed victimology, tactics and procedures.\"", "modified": "2021-04-10T00:05:45.332000", "created": "2021-03-02T21:44:11.611000", "tags": [ "webshell", "hafnium", "microsoft", "exchange", "server", "powercat", "covenant", "procdump", "lsass", "service", "powershell", "cn_apt", "China", "email", "Exploit", "UNC2643", "UNC2640", "UNC2639", "CVE-2021-26858", "CVE-2021-26857", "CVE-2021-27065", "CVE-2021-26855", "LuckyMouse", "Calypso", "Winnti", "Tick" ], "references": [ "https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/", "https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities/", "https://us-cert.cisa.gov/ncas/alerts/aa21-062a", "https://unit42.paloaltonetworks.com/microsoft-exchange-server-vulnerabilities/", "https://www.fireeye.com/blog/threat-research/2021/03/detection-response-to-exploitation-of-microsoft-exchange-zero-day-vulnerabilities.html", "https://github.com/cert-lv/exchange_webshell_detection", "https://github.com/nsacyber/Mitigating-Web-Shells", "https://blog.truesec.com/2021/03/07/exchange-zero-day-proxylogon-and-hafnium/", "https://twitter.com/SBousseaden/status/1368241345454870528", "https://twitter.com/JohnLaTwC/status/1368952992221700096", "https://github.com/microsoft/CSS-Exchange/tree/main/Security", "https://media.defense.gov/2020/Jun/09/2002313081/-1/-1/0/CSI-DETECT-AND-PREVENT-WEB-SHELL-MALWARE-20200422.PDF", "https://unit42.paloaltonetworks.com/china-chopper-webshell/", "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/microsoft-exchange-server-protection", "https://www.welivesecurity.com/2021/03/10/exchange-servers-under-siege-10-apt-groups/", "https://us-cert.cisa.gov/ncas/current-activity/2021/03/13/updates-microsoft-exchange-server-vulnerabilities", "https://us-cert.cisa.gov/ncas/analysis-reports/ar21-084b", "https://us-cert.cisa.gov/ncas/analysis-reports/ar21-072g", "https://us-cert.cisa.gov/ncas/analysis-reports/ar21-084a", "https://us-cert.cisa.gov/ncas/analysis-reports/ar21-072f", "https://us-cert.cisa.gov/ncas/analysis-reports/ar21-072e", "https://us-cert.cisa.gov/ncas/analysis-reports/ar21-072d", "https://us-cert.cisa.gov/ncas/analysis-reports/ar21-072c", "https://us-cert.cisa.gov/ncas/analysis-reports/ar21-072b", "https://us-cert.cisa.gov/ncas/analysis-reports/ar21-072a" ], "public": 1, "adversary": "HAFNIUM", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Trojan.Agent.Hafnium", "display_name": "Trojan.Agent.Hafnium", "target": null }, { "id": "Cobalt Strike - S0154", "display_name": "Cobalt Strike - S0154", "target": null }, { "id": "China Chopper - S0020", "display_name": "China Chopper - S0020", "target": null }, { "id": "DLTMiner", "display_name": "DLTMiner", "target": null }, { "id": "ShadowPad", "display_name": "ShadowPad", "target": null }, { "id": "Mikroceen RAT", "display_name": "Mikroceen RAT", "target": null }, { "id": "Mimikatz - S0002", "display_name": "Mimikatz - S0002", "target": null }, { "id": "Backdoor:Win32/Korplug", "display_name": "Backdoor:Win32/Korplug", "target": "/malware/Backdoor:Win32/Korplug" }, { "id": "Winnti - S0141", "display_name": "Winnti - S0141", "target": null }, { "id": "PlugX - S0013", "display_name": "PlugX - S0013", "target": null } ], "attack_ids": [ { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1505", "name": "Server Software Component", "display_name": "T1505 - Server Software Component" }, { "id": "T1190", "name": "Exploit Public-Facing Application", "display_name": "T1190 - Exploit Public-Facing Application" }, { "id": "T1587.004", "name": "Exploits", "display_name": "T1587.004 - Exploits" }, { "id": "T1595", "name": "Active Scanning", "display_name": "T1595 - Active Scanning" }, { "id": "T1203", "name": "Exploitation for Client Execution", "display_name": "T1203 - Exploitation for Client Execution" }, { "id": "T1505.003", "name": "Web Shell", "display_name": "T1505.003 - Web Shell" } ], "industries": [ "Defense", "Higher Education", "Research", "Law", "NGO", "Government" ], "TLP": "white", "cloned_from": null, "export_count": 462, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 80, "CVE": 4, "YARA": 10, "FileHash-MD5": 36, "FileHash-SHA1": 49, "hostname": 9, "URL": 2, "domain": 2 }, "indicator_count": 192, "is_author": false, "is_subscribing": null, "subscriber_count": 386615, "modified_text": "1877 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "62cbdddd1fc2e2956bfacda5", "name": "vvvvv", "description": "The internet is full of people, but not everyone wants to see it, so here's a look at some of the more eye-catching snippets from the past few days:..com.", "modified": "2022-08-10T00:00:07.214000", "created": "2022-07-11T08:22:53.511000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 6, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "leiwen15", "id": "157128", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_157128/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 3662, "URL": 250, "domain": 1592, "FileHash-MD5": 4, "email": 2 }, "indicator_count": 5510, "is_author": false, "is_subscribing": null, "subscriber_count": 41, "modified_text": "1390 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "62cbdde0447b9617f24a8901", "name": "vvvvv", "description": "The internet is full of people, but not everyone wants to see it, so here's a look at some of the more eye-catching snippets from the past few days:..com.", "modified": "2022-08-10T00:00:07.214000", "created": "2022-07-11T08:22:56.693000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 6, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "leiwen15", "id": "157128", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_157128/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 3662, "URL": 250, "domain": 1592, "FileHash-MD5": 4, "email": 2 }, "indicator_count": 5510, "is_author": false, "is_subscribing": null, "subscriber_count": 41, "modified_text": "1390 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "62cbddf0c4709eb7b4d0fb94", "name": "data of hhh", "description": "The internet is full of people, but not everyone wants to see it, so here's a look at some of the more eye-catching snippets from the past few days:..com.", "modified": "2022-08-10T00:00:07.214000", "created": "2022-07-11T08:23:12.624000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "leiwen15", "id": "157128", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_157128/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 3662, "URL": 250, "domain": 1592, "FileHash-MD5": 4, "email": 2 }, "indicator_count": 5510, "is_author": false, "is_subscribing": null, "subscriber_count": 44, "modified_text": "1390 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "rawfuns.com", "type": "Domain" }, "abuseipdb": null, "urlhaus": { "indicator": "rawfuns.com", "found": false, "verdict": "clean", "urls": [], "error": null }, "from_cache": true, "_cached_at": 1780266720.4285822 }